April 2007
13865 Sunrise Valley Drive, Herndon, VA 20171 Tel: +1 703.648.8000 +1 866.345.0983 www.idirect.net
-1-
As the ability to monitor satellite transmissions grows increasingly sophisticated, the need to implement increased levels of security becomes even more critical. In combatant situations, where even a small spike in traffic can be a critical piece of intelligence, the need to mask any communications activity becomes readily apparent. The National Security Agency (NSA) has outlined the following vulnerabilities inherent in an IP based TDMA transmission that must be addressed in order to provide true Transmission Security, or TRANSEC:
Channel Activity: the ability to secure transmission energy to conceal traffic volumes.
Control Channel Information: disguise traffic volumes to secure traffic source and destination.
Hub and Remote Unit Validation: ensuring remote terminals connected to the network are authorized users.
Anti-Jam and Low Probability of Intercept: while a consideration, this is not a mandate by the NSA or any other organization.
This paper will discuss elements and considerations of providing a TRANSEC compliant IP based VSAT network and the approach iDirect Government Technologies has taken to implement TRANSEC. TRANSEC requires all network control channels and Management & Control (M&C) data to be encrypted, and that any and all traffic engineering information be obfuscated from an adversary. For example, TRANSEC requires a communications channel to appear completely full to an adversary even if little or no actual data is flowing. This is contrasted with Communications Security, or COMSEC, where the actual communications (e.g. voice, video or data stream) are encrypted but certain header information is sent in the clear. An example of COMSEC encryption in an IP network is any High Assurance IP Encryptor (HAIPE) such as a KG 175 TACLANE or KG 235 SECTERA. While the encryption of a HAIPE device is virtually impenetrable, the information in the IP header, including the source address, destination address and, most importantly, the ToS field, is in the clear. With the IP header of a HAIPE encrypted packet in the clear, an adversary can determine how much of the traffic stream is voice, video or data. More significantly, an adversary could determine when high priority flash-override traffic has been initiated and from which location.
In an SCPC satellite network topology, achieving TRANSEC compliance is relatively straightforward. For SCPC connections, a bulk encryptor such as a KIV 19A is employed to encrypt any data and control information traversing the network. If HAIPE (High Assurance Internet Protocol Encryption) COMSEC encryption is employed in a TRANSEC SCPC network, the IP header of the HAIPE packet is encrypted by the bulk encryptor prior to being transmitted to the satellite. In addition, since an SCPC link is static and always on, and no control information needs to be exchanged between the SCPC modems, all of the TRANSEC requirements are met.
In a TDMA network TRANSEC compliance is substantially more difficult. A TDMA network dynamically allocates bandwidth to remotes; therefore, there must be some type of control information transmitted to each device in the network. This control data, containing traffic engineering information, as well as information available from a HAIPE encrypted IP packet header can be exploited by an adversary. For example, anomalous traffic volume to a specific remote can indicate new activity in that area while varying ratios of voice to data traffic can denote the distribution of intelligence (data) compared to lower priority voice traffic.
The security vulnerabilities of an IP based TDMA transmission have been defined in a number of NSA and DoD documents, including the NSA's Kubic document and DoD's Deployed TRANSEC Whitepaper. Both papers define the security vulnerabilities of a TDMA VSAT network. Following is an outline of the challenges that must be addressed according to the NSA and DoD, and iDirect Government Technologies' response to those requirements.
Channel Activity
Challenge
The first vulnerability that exists in a TDMA network is the availability of traffic engineering information. In an SCPC network, the link is static, with no variation in transmission characteristics based on end user communications. Therefore, an adversary looking at a satellite transponder with a spectrum analyzer will see a constant RF signal. This is contrasted with a TDMA network. A TDMA in-route carrier energizes and de-energizes as traffic flows and stops. The on and off nature of a TDMA in-route is the natural extension of the ability to allocate satellite transponder space to remotes which have transient demands. While this characteristic makes TDMA networks much more bandwidth efficient, it allows an adversary to determine peak periods of activity, identify unusual or unexpected activity spikes, and identify locations of remotes that have remained quiet for a period of time and suddenly experience increased traffic volumes. The obvious risk in having this information in the hands of an adversary is the potential to extrapolate the timing, location or scale of strategic activity.
Solution
iDirect Government Technologies has implemented free slot allocation in its TDMA bandwidth distribution algorithm. With free slot allocation, an adversary snooping satellite transponder energies will see a constant wall of data regardless of traffic profiles. As the name implies, free slot allocation keeps the in-routes active regardless of actual traffic flows. Free slot allocation preserves the efficiencies of a TDMA system while obfuscating actual traffic volumes, negating the risk of using transmission activity as an intelligence gathering mechanism.
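The following is an added illustration, not code from the iDirect paper or product: a toy model of a single TDMA in-route in which an observer can only count energized slots per frame. With demand-driven allocation the count tracks the remote's real traffic, so a quiet period followed by a burst stands out; with free slot allocation every slot carries a fixed-size burst (real or filler), so the observed profile is flat. The frame size, the demand sequence and the spike threshold are constructed values.

```python
"""Constructed model of traffic-volume leakage on a TDMA in-route and of
free slot allocation as the mitigation. Not iDirect's allocation algorithm."""
import statistics

SLOTS_PER_FRAME = 16  # constructed frame size; real systems differ

# Constructed demand sequence (slots requested per frame by one remote):
# quiet, a single small burst, quiet, then a sustained spike, then quiet.
DEMANDS = [0, 0, 1, 0, 0, 12, 14, 16, 3, 0]


def demand_driven_allocation(demand: int) -> list:
    """Plain TDMA: only as many slots as the remote needs are energized."""
    n = min(demand, SLOTS_PER_FRAME)
    return ["burst"] * n + ["idle"] * (SLOTS_PER_FRAME - n)


def free_slot_allocation(demand: int) -> list:
    """Free slot allocation: real bursts where there is demand, filler bursts
    in every remaining slot, so the carrier never de-energizes."""
    n = min(demand, SLOTS_PER_FRAME)
    return ["burst"] * n + ["filler"] * (SLOTS_PER_FRAME - n)


def observe_energy(frame: list) -> int:
    """What a spectrum analyzer sees: the number of energized slots.
    A filler burst is indistinguishable from a real burst at the RF level."""
    return sum(1 for slot in frame if slot != "idle")


def activity_profile(demands: list, allocator) -> list:
    """Per-frame energized-slot counts as recorded by the observer."""
    return [observe_energy(allocator(d)) for d in demands]


def detected_spikes(profile: list, threshold: int) -> list:
    """Frame indices where observed energy jumps by more than `threshold`
    slots over the previous frame: the 'unexpected activity' the paper warns
    about. With a flat profile this list is empty."""
    return [i for i in range(1, len(profile))
            if profile[i] - profile[i - 1] > threshold]


def leaks_volume(profile: list) -> bool:
    """True when the observed profile varies at all, i.e. it carries
    information about actual traffic volume."""
    return statistics.pvariance(profile) > 0


if __name__ == "__main__":
    for name, alloc in (("demand-driven", demand_driven_allocation),
                        ("free slot", free_slot_allocation)):
        prof = activity_profile(DEMANDS, alloc)
        print(f"{name:13s} observed={prof} spikes={detected_spikes(prof, 4)} "
              f"leaks={leaks_volume(prof)}")
```

The point of the model is that the mitigation lives entirely in the allocator: the observer's measurement function is the same in both cases, and it is the constant occupancy, not any change in what the observer can see, that removes the signal.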
transmitted HAIPE IP header itself is AES encrypted. Additionally, the iDirect TRANSEC TDMA slot is a fixed size, again to obfuscate any traffic characteristics. This Layer 2 encryption solution solves all existing control channel vulnerabilities. The iDirect Layer 2 encryption method goes a step beyond to feature over-the-air key update and a unique Layer 2 frame format including an Initialization Vector which ensures randomization of repetitive data streams. The net result is that adversaries are precluded from detecting any repetitive pattern, which can aid in deciphering encryption algorithms.
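As an added example (not iDirect's frame format, cipher or code), the block below models the slot layout described above: an encryption header carrying an IV seed and a key ID, followed by the encrypted demand segment, link-layer headers and payload, padded to a fixed slot size. Because the Python standard library has no AES, the cipher is an HMAC-SHA256 counter-mode keystream standing in for AES; what the example demonstrates is the effect of the per-slot IV and the fixed slot size, not the cipher. The field widths, key ID and slot size are constructed assumptions.

```python
"""Constructed model of a TRANSEC-style TDMA slot: fixed size, fully encrypted
body, per-slot IV. Stand-in cipher (HMAC-SHA256 in counter mode), not AES."""
import hashlib
import hmac
import os
import struct

SLOT_BODY_BYTES = 64   # constructed fixed size of the encrypted portion
IV_BYTES = 8           # constructed IV seed width
KEY_ID = 7             # constructed key identifier
HEADER_BYTES = IV_BYTES + 2


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """PRF-based counter-mode keystream: block i = HMAC(key, iv || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def build_slot(key: bytes, key_id: int, demand: int, ll_headers: bytes,
               payload: bytes, iv: bytes = None) -> bytes:
    """Produce one fixed-size slot. The demand segment, link-layer headers and
    payload are length-prefixed, zero-padded to SLOT_BODY_BYTES and encrypted
    under a fresh IV, so neither the content nor its length is visible."""
    if iv is None:
        iv = os.urandom(IV_BYTES)
    inner = struct.pack(">H", demand) + ll_headers + payload
    if len(inner) > SLOT_BODY_BYTES - 2:
        raise ValueError("slot body does not fit in the fixed slot size")
    body = (struct.pack(">H", len(inner)) + inner).ljust(SLOT_BODY_BYTES, b"\x00")
    enc = _xor(body, keystream(key, iv, SLOT_BODY_BYTES))
    return iv + struct.pack(">H", key_id) + enc


def parse_slot(keys: dict, slot: bytes) -> tuple:
    """Receiver side: read IV and key ID from the clear header, select the key
    (this is how an over-the-air key update can be rolled in), decrypt and
    strip padding. Returns (demand, ll_headers_and_payload)."""
    iv = slot[:IV_BYTES]
    key_id = struct.unpack(">H", slot[IV_BYTES:HEADER_BYTES])[0]
    body = _xor(slot[HEADER_BYTES:], keystream(keys[key_id], iv, SLOT_BODY_BYTES))
    n = struct.unpack(">H", body[:2])[0]
    inner = body[2:2 + n]
    return struct.unpack(">H", inner[:2])[0], inner[2:]


def encrypted_part(slot: bytes) -> bytes:
    """The portion an observer sees after the clear header."""
    return slot[HEADER_BYTES:]


if __name__ == "__main__":
    k = os.urandom(32)
    hdr, data = b"\x01\x02", b"hello"
    fixed = b"\x00" * IV_BYTES
    a = build_slot(k, KEY_ID, 3, hdr, data, iv=fixed)
    b = build_slot(k, KEY_ID, 3, hdr, data, iv=fixed)
    print("same IV, same plaintext -> identical ciphertext:",
          encrypted_part(a) == encrypted_part(b))
    c = build_slot(k, KEY_ID, 3, hdr, data)
    d = build_slot(k, KEY_ID, 3, hdr, data)
    print("fresh IVs -> distinct ciphertext:", encrypted_part(c) != encrypted_part(d))
    print("decrypted:", parse_slot({KEY_ID: k}, c))
```

Reusing an IV under the same key makes identical slots produce identical ciphertext, which is exactly the repetitive pattern the paper says the IV exists to prevent; the fixed body size means a one-byte payload and a fifty-byte payload yield slots of the same length on the air.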
Figure 1: TDMA TRANSEC slot layout. Encryption Header (IV Seed, Key ID); Encrypted Demand Segment; LL Headers & Payload; FEC Coding.
Conclusion
There are inherent benefits to the IP based TDMA platform that iDirect utilizes, with respect to bandwidth efficiency, scalability and the scope of applications that it enables. There are also inherent security risks with a TDMA platform. The iDirect TRANSEC architecture is able to provide the highest levels of network security while maintaining the efficiencies and benefits of the TDMA architecture. iDirect Government Technologies has implemented the only TRANSEC and COMSEC compliant network architecture in the VSAT industry available today, which exceeds the requirements defined by NSA and DoD while ensuring the QoS characteristics of the network are preserved.